Recent Success Stories of lemonLDAP::NG Web SSO and identity federation product presented by Orange and Gendarmerie Nationale during OW2con'19, June 12-13 2019 in Paris.
5. 12/06/2019 5
Main features
● Web Single Sign On
● Access control
● Applications portal
● Authentication modules choice and chain
● Password management, account creation
● Multi-factor authentication (MFA)
● Protection of Web applications and API/WebServices
● Graphical customisation
● Packages for Debian/Ubuntu/RHEL/CentOS
Free Software
● License GPL
● OW2 project
● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
● Site: https://lemonldap-ng.org
● OW2 Community Award in 2014
● SSO component of FusionIAM project: https://fusioniam.org/
Component roles (architecture diagram, text recovered from the slide): Portal (CAS, SAML, OpenID Connect, Self Services, SOAP/REST server, Session management, Notifications, Second factors, Application menu); Manager (Configurations, Sessions); Handler (Access Control, SSOaaS, Web Service Token, Custom); all components share the Configurations and Sessions stores.
CAS, SAML and OpenID Connect
● LL::NG can act as client and as server
● Attributes sharing
● Manage authentication contexts and levels
● Autogeneration of public/private keys
● Access control per service
● Publication of configuration data (metadata)
● Multi-protocol gateway
● Single logout
Second Factor Authentication (2FA)
● LemonLDAP::NG can use the following 2FA:
  ● TOTP
  ● U2F
  ● TOTP or U2F
  ● Mail
  ● External
  ● REST
  ● Yubikey
DevOps (SSO as a Service) (sequence diagram, text recovered from the slide): the user authenticates on the Portal, which performs Session creation in the Sessions store and sets the SSO cookie; the Handler performs Session read and passes HTTP headers to the Web Application; the Access rules and Exported headers applied by the Handler come from a rules.json file on the application side.
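The rules.json file the slide refers to lets the application team, rather than the SSO administrators, declare which URLs are protected and which headers are exported. The following is an added example, not taken from the slides or from the LemonLDAP::NG project; the "rules" and "headers" keys follow the layout of the DevOps handler documentation, while the paths, the rule expressions and the exported header names are constructed for illustration (the $uid and $mail variables are session attribute names assumed to exist in the session). A "default" rule is always present so that every URL not matched by a more specific pattern gets an explicit decision instead of an implicit one.

```json
{
  "rules": {
    "^/admin": "$uid eq 'admin'",
    "^/api/": "$groups =~ /\\bapi-users\\b/",
    "^/logout": "logout_sso",
    "^/public/": "unprotect",
    "default": "accept"
  },
  "headers": {
    "Auth-User": "$uid",
    "Auth-Mail": "$mail"
  }
}
```

Each rule value is a Perl expression evaluated by the Handler against the session of the connected user (the special values "accept", "unprotect" and "logout_sso" are documented rule keywords); a pattern that matches the request path selects its rule, and "default" applies otherwise. When reviewing such a file, check that the "default" rule is not broader than intended and that every exported header is one the application really trusts, since the application will treat those header values as authenticated identity.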
API – Service Token (sequence diagram, text recovered from the slide): the user authenticates on the Portal (Session creation, SSO cookie); the Handler performs Session read and exports HTTP headers to the Web Application, together with a Service Token; the Web Application calls the Web Service with that Service Token, and the Web Service's Token Handler validates it, performs Session read and exports HTTP headers to the Web Service.
RENATER / eduGAIN
● Support of RENATER / eduGAIN via SAML2:
  ● Service Provider
  ● Identity Provider
● Call to Identity Provider selection page (WAYF) via SAML Discovery Protocol
● Metadata bulk import script
Plugin engine
● Portal code was fully rewritten, and it now allows writing plugins
● Plugin examples, provided by default:
  ● Auto Signin: direct authentication for some IPs
  ● Brute Force: protect against brute-force attacks
  ● Stay Connected: "remember me" button
  ● Public Pages: create static pages using portal skin
  ● Impersonation: take the identity of another user
● Write a custom plugin: https://lemonldap-ng.org/documentation/latest/plugincustom
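To show what a portal plugin looks like in practice, here is an added example, written for this page and not part of the slides or of the LemonLDAP::NG project. It follows the plugin structure described in the plugincustom documentation linked above (a Mouse class extending Lemonldap::NG::Portal::Main::Plugin, an init() method, and a "beforeAuth" entry point that returns a PE_* constant). Everything else is an assumption: the plugin name RestrictNetwork, the configuration key customAllowedNets, the prefix-based network matching and the log messages.

```perl
# Added example: a LemonLDAP::NG portal plugin that refuses authentication
# attempts coming from outside an allowed set of networks. The plugin name,
# the customAllowedNets configuration key and the matching logic are
# assumptions made for this illustration.
package Lemonldap::NG::Portal::Plugins::RestrictNetwork;

use strict;
use warnings;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_ERROR);

extends 'Lemonldap::NG::Portal::Main::Plugin';

# Entry point: the portal calls checkNetwork() before any authentication
# module is tried, so a refused request never reaches the password check.
use constant beforeAuth => 'checkNetwork';

# Allowed address prefixes, filled in init()
has allowedNets => ( is => 'rw', default => sub { [] } );

# Called once when the portal loads the plugin; must return 1 on success
sub init {
    my ($self) = @_;

    # Comma-separated prefixes from the global configuration (assumed key).
    # Fallback is loopback only, so a missing setting fails closed rather
    # than letting every client through.
    my $nets = $self->conf->{customAllowedNets} || '127.0.0.1';
    my @prefixes = map { s/^\s+|\s+$//gr } split /,/, $nets;

    # Prefix matching is string based: "10.0." matches 10.0.1.2 but not
    # 10.01.0.1, so prefixes are normalised to end with a dot unless they
    # already name a full address.
    @prefixes = map { ( /^\d+\.\d+\.\d+\.\d+$/ or /\.$/ ) ? $_ : "$_." } @prefixes;

    $self->allowedNets( \@prefixes );
    $self->logger->debug( 'RestrictNetwork allows: ' . join( ', ', @prefixes ) );
    return 1;
}

# Entry point handler: receives the current request object.
# Returning PE_OK lets the authentication flow continue; any other
# PE_* value stops it and the portal reports the error to the user.
sub checkNetwork {
    my ( $self, $req ) = @_;
    my $ip = $req->address;

    foreach my $prefix ( @{ $self->allowedNets } ) {
        if ( $ip eq $prefix or index( $ip, $prefix ) == 0 ) {
            $self->logger->debug("RestrictNetwork: $ip allowed by $prefix");
            return PE_OK;
        }
    }

    # Log refusals so that repeated attempts from unexpected sources are
    # visible to the people reviewing portal logs.
    $self->logger->warn("RestrictNetwork: authentication refused from $ip");
    return PE_ERROR;
}

1;
```

The class is activated by listing it in the portal's customPlugins setting, as the linked documentation describes for custom plugins. String-prefix matching is used only to keep the example short; a production plugin would compare against CIDR ranges and would also make sure the portal sees the real client address (for instance that reverse proxies are trusted and set the forwarded address correctly), otherwise the check can be bypassed or can lock out legitimate users.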
Orange is a complex environment…
With many people and many kinds of skills, with thousands of applications, in a constantly changing environment.
Orange is a complex environment in a complex world…
With thousands of applications:
§ Made by Orange or bought.
§ SSO compatible or not.
§ Accessible from the Internet or the Intranet.
§ Security access level specific to each one.
§ Each application has its own lifecycle.
§ Our users want the same quality on their work tools as on the personal offers on the Internet.
§ Rise of the « fashion tool ».
With many people and many kinds of skills:
Long-time partnerships
§ Orange people
§ Contractors
§ Partners
§ Universities
On-demand relationships
§ Freelancers with contracts of a few days
…With the same constraints and needs as others…
§ Manage all identification / authentication cases
§ Allow access from different contexts
§ Keep things as transparent as possible for users
§ Manage all kinds of users
§ Provide many types of protocols
§ Guarantee a high security level
§ Flexible to support the future
§ Guarantee a high availability level
§ Keep It Simple Stupid (« Complex » crossed out on the slide)
§ Have a single system to authenticate users
…So we are building a scalable LemonLDAP::NG infrastructure… (architecture diagram, text recovered from the slide): internal applications go through HA int to Lemon int 1 / Lemon int 2, external applications through HA ext to Lemon ext 1 / Lemon ext 2; both sides share the Config and Sessions stores. Numbered flow on the diagram: 1: Kerberos if the user comes from internal, then SAML; 2: OidC / REST / LDAP; 3: LDAP; 4: External accounts and Orange accounts.
...And we are at the beginning of the journey...
We have tested LemonLdap in real conditions on many applications used by innovation people:
…Under industrialisation by a specialized team.
First team to « think »:
- Test LemonLdap and try to get its limits
- Test the potential architectures
- Test integration with about 20 applications (gitlab, nextcloud, jira & confluence, Dokuwiki, Apache 2, Flexible Engine, Grafana, WebCom, WordPress, OpenStack…)
- Test authentication protocols and ways (OTP, …)
Another team to « build »:
- Get the results of the previous level to create an « industrial solution » able to support millions of people.
Final team to « Run ».
Orange-Worteks Partnership
● Worteks offers a framework contract for support around LemonLDAP::NG and other free software, with two parts:
  ● Incident management: a ticket can be opened to solve any fault on a production or development system (business hours)
  ● Evolutions: a request can be made to fix bugs or code new features in the software
● Any Orange Business Unit can request a contract, prices are already defined
● It can then contribute to the LemonLDAP::NG roadmap by requesting evolutions
Thanks to all the contributors
Thank you to all the contributors to this project, for their competence, their good humor and their motivation that are overcoming all the problems that vainly tried to stand up against us:
● The LemonLDAP::NG Team (Clément, Xavier and all the others).
● Worteks for the support.
● Orange internal contributors: Christian P., Laurence T., Daniel V., David M., Ronan H.B., Aurelien P., Alexandre L., Jean-Louis F.
● All other success keys in this project:
History
● 2002: First WebSSO GN (SiteMinder)
● Licensing cost: 90 k€/year for 5000 users (target ~1 M€/year)
  → Take LemonLDAP over from the Ministry of Finance
● 2005: Development of LL::NG (fork), SSO now used by (almost) all civil services
Technical team for all ST(SI) SSO²
● X. Guimard: Lead developer LL::NG
● S. Marcq: Project manager
● A. Rosier & C. Maudoux: developers and administrators